From 9ae986f18c0f251cba6bbc23eae2150a8ce0417e Mon Sep 17 00:00:00 2001
From: Amar Tumballi <amarts@redhat.com>
Date: Thu, 9 Aug 2018 13:00:01 +0530
Subject: server-protocol: don't allow '../' path in 'name'

This will prevent any arbitrary file creation through glusterfs
by modifying the client bits.

Also check for the similar flaw inside posix too, so we prevent any
changes in layers in-between.

Fixes: bz#1625095

Signed-off-by: Amar Tumballi <amarts@redhat.com>
Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e
---
 xlators/storage/posix/src/posix-handle.h | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'xlators/storage/posix/src')

diff --git a/xlators/storage/posix/src/posix-handle.h b/xlators/storage/posix/src/posix-handle.h
index b12e8b9610c..621f8f4d450 100644
--- a/xlators/storage/posix/src/posix-handle.h
+++ b/xlators/storage/posix/src/posix-handle.h
@@ -142,6 +142,12 @@
                 break;                                                  \
         }                                                               \
                                                                         \
+        if (strstr (loc->name, "../")) {                                \
+                gf_msg (this->name, GF_LOG_ERROR, 0, P_MSG_ENTRY_HANDLE_CREATE, \
+                        "'../' in name not allowed: (%s)", loc->name); \
+                op_ret = -1;                                            \
+                break;                                                  \
+        }                                                               \
         if (LOC_HAS_ABSPATH (loc)) {                                    \
                 MAKE_REAL_PATH (entp, this, loc->path);                 \
                 __parp = strdupa (entp);                                \
-- 
cgit